From e5590ea5ec0c13043d2b71110c2eba49384a0de2 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 28 Jul 2005 20:52:55 +0000 Subject: [PATCH] work on user transition --- refpolicy/policy/modules/kernel/terminal.if | 38 +++++++++++++++++++++ refpolicy/policy/modules/services/ssh.if | 6 ++++ refpolicy/policy/modules/services/ssh.te | 38 +++++++++------------ 3 files changed, 61 insertions(+), 21 deletions(-) diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index b3a45404..07b18929 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -366,6 +366,44 @@ interface(`term_dontaudit_getattr_all_user_ptys',` dontaudit $1 ptynode:chr_file getattr; ') +######################################## +## +## Set the attributes of all user +## pty device nodes. +## +## +## The type of the process performing this action. +## +# +interface(`term_setattr_all_user_ptys',` + gen_require(` + attribute ptynode; + class dir r_dir_perms; + class chr_file setattr; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir r_dir_perms; + allow $1 ptynode:chr_file setattr; +') + +######################################## +## +## Relabel to all user ptys. +## +## +## The type of the process performing this action. +## +# +interface(`term_relabelto_all_user_ptys',` + gen_require(` + attribute ptynode; + class chr_file relabelto; + ') + + allow $1 ptynode:chr_file relabelto; +') + ######################################## ## ## Read and write all user ptys. diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 24770b87..ff92d99f 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -77,6 +77,12 @@ template(`ssh_per_userdomain_template',` allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms; allow $1_t $1_home_ssh_t:sock_file create_file_perms; + # inheriting stream sockets is needed for "ssh host command" as no pty + # is allocated + # cjp: should probably fix target to be an attribute for ssh servers + # or "regular" (not special like sshd_extern_t) servers + allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms; + # ssh client can manage the keys and config allow $1_ssh_t $1_home_ssh_t:file create_file_perms; allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read }; diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 3e2fffcc..a04588d3 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -72,30 +72,33 @@ seutil_read_config(sshd_t) # Allow checking users mail at login mta_getattr_spool(sshd_t) +tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t ptyfile:chr_file relabelto; + term_use_all_user_ptys(sshd_t) + term_setattr_all_user_ptys(sshd_t) + term_relabelto_all_user_ptys(sshd_t) + + userdom_spec_domtrans_all_users(sshd_t) + userdom_signal_all_users(sshd_t) +',` + userdom_spec_domtrans_unpriv_users(sshd_t) + userdom_signal_unpriv_users(sshd_t) +') + optional_policy(`rpm.te',` rpm_use_script_fd(sshd_t) ') ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` - userdom_spec_domtrans_all_users(sshd_t) - userdom_signal_all_users(sshd_t) - optional_policy(`xauth.te',` domain_trans(sshd_t, xauth_exec_t, userdomain) ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr }; - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms; ',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) - optional_policy(`xauth.te',` domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) ') @@ -104,14 +107,7 @@ tunable_policy(`ssh_sysadm_login',` # display the tty. # some versions of sshd on the new SE Linux require setattr allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms; ') - -# for when the network connection breaks after running newrole -r sysadm_r -dontaudit sshd_t sysadm_devpts_t:chr_file setattr; - ') dnl endif TODO #################################